Hacking CloudKit: How I accidentally deleted your Apple shortcuts
labs.detectify.com> But remember that I mentioned different APIs talked with CloudKit differently?
As this sentence is the cause of most the bugs in the post I begin to question how they implemented their gateway so that a different endpoint results in a totally different authorization scope. That just screams „auth bug“.
Wow, I remember this happening! That is truly funny to me that it was because of a security researcher accidentally triggering this massive bug.
Great write up, and kudos to apple for not suing him but paying out the bug bounties.